Privacy overview

Unity Authentication - A white-labeled authentication solution that enables game developers to provide seamless and secure access to Unity Gaming Services for their players.

This documentation is intended to help products demonstrate their privacy compliance to Developers. It is not intended to be used as legal guidance or as a replacement for reading Unity’s Privacy Policy. If you have questions about a term used, please see the Glossary below.

If you have further questions about the privacy implications of your product, please email DPO@unity3d.com with your question. For expediency, please list the product about which you are inquiring.

Personal data collected about app users/game-players

Default Personal Data Collected (always collected in order for product to work)

  1. A unique Unity Authentication Service ID (UAS ID) is generated per user

Optional Personal Data Collected (personal data which may be collected at choice/action of the end user/Developer)

  1. External identifier such as ID or OpenID Connect sub claim from third-party identity providers
  2. Username
  3. Display name (if using PlayerNames feature)

Developer-defined data

While this product allows for the collection of developer-defined data, we require that you not collect personal data through this mechanism. Our systems will not recognize it as personal data, so it would not be treated as such in retention processes or data subject requests.

Relationship under privacy laws

Under GDPR, Unity is the Processor. You, the developer, are a Controller.

Under CCPA (as modified by CPRA), Unity is the Service Provider. You, the developer, are the Business.

As we are a Processor, we do not determine the legal basis for processing. Instead, it is your responsibility as the Controller to determine such a legal basis.

Data subject requests

Two of the most common data subject requests based in law are the request for access to personal data and the request for deletion of personal data.

Access

This service has native functionality to support data access requests.

Option 1: Player Self-Service

As a developer, you can enable your players to retrieve their Unity Authentication account information. Please use Player info from the Authentication SDK or Get Player from the Authentication REST API.

Option 2: Admin API

As a developer, you can retrieve a player’s Unity Authentication account information. Please use Get Player from the Admin API.

Option 3: Command Line Interface

As a developer, you can retrieve a player’s Unity Authentication account information. Please use Get Player from the Player Command Line.

Please note: this functionality only applies to this service. If you are using other services which collect app user personal data you will need to review that service's documentation for how it handles data access requests.

Deletion

This service has native functionality to support data deletion requests.

Option 1: Player Self-Service

As a developer, you can enable your players to delete their Unity Authentication account. Please use Delete Accounts from the Authentication SDK or Delete Player from the Authentication REST API.

Option 2: Unity Dashboard

You can delete a player in Player Management in the Unity Cloud Dashboard.

  1. Select + under Shortcuts in the left panel.
  2. Search for Authentication and select it to pin it to the left panel.
  3. Select your project.
  4. Select the player to be deleted.
  5. Select Delete.
  6. Confirm to proceed.

Option 3: Admin API

You can use the Admin API to delete a player.

Option 4: Command Line Interface

As a developer, you can delete a player’s Unity Authentication account information. Please use Delete Player from the Player Command Line.

Please note: this functionality only applies to this service. If you are using other services which collect app user personal data you will need to review that service's documentation for how it handles data deletion requests.

Access

This service has no native functionality to support data access requests. You, the developer, are responsible for actioning them.

Dependencies

This product has no dependencies on other Unity products.

Data retention

By default, personal data is retained until the user or developer deletes the personal data through the mechanisms outlined in the deletion section above.

Child privacy

This service is not intended to be used in applications with child users, unless you, the developer, have obtained Verified Parental Consent where required as outlined in the Unity Terms of Service.

Privacy policy requirements

It is never appropriate to use Unity’s privacy policy for your application. You will need to ensure that the personal data practices are reflected in your own privacy policy.

Additionally, you will need to link out to our Privacy Policy from within your own, as required in the Unity Terms of Service.

Data processing agreement (DPA)

The Unity DPA applies to the transfer of data for this product.

Glossary & notable laws

  • GDPR - The General Data Protection Regulation (GDPR) took effect in the European Economic Area (EEA). References to GDPR also encompass UK GDPR, the UK’s version of GDPR that applies post-Brexit.
  • CCPA - The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (“CPRA”).
  • PIPL - In November of 2021, Personal Information Protection Law (PIPL) took effect in China.
  • LGPD - The Brazilian General Data Protection Law
  • VCDPA - The Virginia Consumer Data Protection Act
  • CPA - The Colorado Privacy Act
  • CTDPA - The Connecticut Data Protection Act
  • UCPA - The Utah Consumer Privacy Act
  • PIPEDA - The Canadian Personal Information Protection and Electronic Documents Act
  • COPPA - The Children’s Online Privacy Protection Act (COPPA) imposes restrictions on how data can be collected and used from children under the age of 13.
  • CARU - A self-regulatory organization for the promotion of responsible privacy practices to children under the age of 13
  • DPA - A Data Processing Addendum (or Data Processing Agreement) forms part of a contract and governs the rights and obligations of each party concerning the processing of personal data.
  • ATT - iOS 14 and later requires publishers to obtain permission to track the user's device across applications. This device setting is called App Tracking Transparency, or ATT.